oauth: ensure auth grant redirect URI matches token req

mjcheetham · mjcheetham · commit adccfaf5d504 · 2020-04-22T17:08:09.000+01:00
diff --git a/src/shared/Microsoft.Git.CredentialManager.Tests/Authentication/OAuth2ClientTests.cs b/src/shared/Microsoft.Git.CredentialManager.Tests/Authentication/OAuth2ClientTests.cs
@@ -98,7 +98,7 @@ public async Task OAuth2Client_GetTokenByAuthorizationCodeAsync()
 
             OAuth2Client client = CreateClient(httpHandler, endpoints);
 
-            var authCodeResult = new OAuth2AuthorizationCodeResult(authCode);
+            var authCodeResult = new OAuth2AuthorizationCodeResult(authCode, TestRedirectUri);
             OAuth2TokenResult result = await client.GetTokenByAuthorizationCodeAsync(authCodeResult, CancellationToken.None);
 
             Assert.NotNull(result);
diff --git a/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/IOAuth2WebBrowser.cs b/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/IOAuth2WebBrowser.cs
@@ -9,6 +9,8 @@ namespace Microsoft.Git.CredentialManager.Authentication.OAuth
 {
     public interface IOAuth2WebBrowser
     {
+        Uri UpdateRedirectUri(Uri uri);
+
         Task<Uri> GetAuthenticationCodeAsync(Uri authorizationUri, Uri redirectUri, CancellationToken ct);
     }
 }
diff --git a/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/OAuth2AuthorizationCodeResult.cs b/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/OAuth2AuthorizationCodeResult.cs
@@ -1,18 +1,20 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license.
+using System;
 
 namespace Microsoft.Git.CredentialManager.Authentication.OAuth
 {
     public class OAuth2AuthorizationCodeResult
     {
-        public OAuth2AuthorizationCodeResult(string code, string codeVerifier = null)
+        public OAuth2AuthorizationCodeResult(string code, Uri redirectUri = null, string codeVerifier = null)
         {
             Code = code;
+            RedirectUri = redirectUri;
             CodeVerifier = codeVerifier;
         }
 
         public string Code { get; }
-
+        public Uri RedirectUri { get; }
         public string CodeVerifier { get; }
     }
 }
diff --git a/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/OAuth2Client.cs b/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/OAuth2Client.cs
@@ -104,9 +104,11 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum
                 [OAuth2Constants.AuthorizationEndpoint.PkceChallengeParameter] = codeChallenge
             };
 
+            Uri redirectUri = null;
             if (_redirectUri != null)
             {
-                queryParams[OAuth2Constants.RedirectUriParameter] = _redirectUri.ToString();
+                redirectUri = browser.UpdateRedirectUri(_redirectUri);
+                queryParams[OAuth2Constants.RedirectUriParameter] = redirectUri.ToString();
             }
 
             string scopesStr = string.Join(" ", scopes);
@@ -123,12 +125,12 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum
             Uri authorizationUri = authorizationUriBuilder.Uri;
 
             // Open the browser at the request URI to start the authorization code grant flow.
-            Uri redirectUri = await browser.GetAuthenticationCodeAsync(authorizationUri, _redirectUri, ct);
+            Uri finalUri = await browser.GetAuthenticationCodeAsync(authorizationUri, redirectUri, ct);
 
             // Check for errors serious enough we should terminate the flow, such as if the state value returned does
             // not match the one we passed. This indicates a badly implemented Authorization Server, or worse, some
             // form of failed MITM or replay attack.
-            IDictionary<string, string> redirectQueryParams = redirectUri.GetQueryParameters();
+            IDictionary<string, string> redirectQueryParams = finalUri.GetQueryParameters();
             if (!redirectQueryParams.TryGetValue(OAuth2Constants.AuthorizationGrantResponse.StateParameter, out string replyState))
             {
                 throw new OAuth2Exception($"Missing '{OAuth2Constants.AuthorizationGrantResponse.StateParameter}' in response.");
@@ -144,7 +146,7 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum
                 throw new OAuth2Exception($"Missing '{OAuth2Constants.AuthorizationGrantResponse.AuthorizationCodeParameter}' in response.");
             }
 
-            return new OAuth2AuthorizationCodeResult(authCode, codeVerifier);
+            return new OAuth2AuthorizationCodeResult(authCode, redirectUri, codeVerifier);
         }
 
         public async Task<OAuth2DeviceCodeResult> GetDeviceCodeAsync(IEnumerable<string> scopes, CancellationToken ct)
@@ -191,14 +193,14 @@ public async Task<OAuth2TokenResult> GetTokenByAuthorizationCodeAsync(OAuth2Auth
                 [OAuth2Constants.ClientIdParameter] = _clientId
             };
 
-            if (authorizationCodeResult.CodeVerifier != null)
+            if (authorizationCodeResult.RedirectUri != null)
             {
-                formData[OAuth2Constants.TokenEndpoint.PkceVerifierParameter] = authorizationCodeResult.CodeVerifier;
+                formData[OAuth2Constants.RedirectUriParameter] = authorizationCodeResult.RedirectUri.ToString();
             }
 
-            if (_redirectUri != null)
+            if (authorizationCodeResult.CodeVerifier != null)
             {
-                formData[OAuth2Constants.RedirectUriParameter] = _redirectUri.ToString();
+                formData[OAuth2Constants.TokenEndpoint.PkceVerifierParameter] = authorizationCodeResult.CodeVerifier;
             }
 
             using (HttpContent requestContent = new FormUrlEncodedContent(formData))
diff --git a/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/OAuth2SystemWebBrowser.cs b/src/shared/Microsoft.Git.CredentialManager/Authentication/OAuth/OAuth2SystemWebBrowser.cs
@@ -42,55 +42,35 @@ public OAuth2SystemWebBrowser(OAuth2WebBrowserOptions options)
             _options = options;
         }
 
-        public async Task<Uri> GetAuthenticationCodeAsync(Uri authorizationUri, Uri redirectUri, CancellationToken ct)
+        public Uri UpdateRedirectUri(Uri uri)
         {
-            if (!redirectUri.IsLoopback)
+            if (!uri.IsLoopback)
             {
-                throw new ArgumentException("Only localhost is supported as a redirect URI.", nameof(redirectUri));
+                throw new ArgumentException("Only localhost is supported as a redirect URI.", nameof(uri));
             }
 
             // If a port has been specified use it, otherwise find a free one
-            if (redirectUri.IsDefaultPort)
+            if (uri.IsDefaultPort)
             {
                 int port = GetFreeTcpPort();
-
-                UpdateLoopbackRedirectPort(port, ref authorizationUri, ref redirectUri);
+                return new UriBuilder(uri) {Port = port}.Uri;
             }
 
-            Task<Uri> interceptTask = InterceptRequestsAsync(redirectUri, ct);
-
-            OpenDefaultBrowser(authorizationUri);
-
-            return await interceptTask;
+            return uri;
         }
 
-        private void UpdateLoopbackRedirectPort(int port, ref Uri authorizationUri, ref Uri redirectUri)
+        public async Task<Uri> GetAuthenticationCodeAsync(Uri authorizationUri, Uri redirectUri, CancellationToken ct)
         {
-            IDictionary<string, string> authUriQuery = authorizationUri.GetQueryParameters();
-
-            Uri newRedirectUri = new UriBuilder(redirectUri) {Port = port}.Uri;
-
-            authUriQuery[OAuth2Constants.RedirectUriParameter] = newRedirectUri.ToString();
-
-            Uri newAuthorizationUri = new UriBuilder(authorizationUri){Query = authUriQuery.ToQueryString()}.Uri;
+            if (!redirectUri.IsLoopback)
+            {
+                throw new ArgumentException("Only localhost is supported as a redirect URI.", nameof(redirectUri));
+            }
 
-            authorizationUri = newAuthorizationUri;
-            redirectUri = newRedirectUri;
-        }
+            Task<Uri> interceptTask = InterceptRequestsAsync(redirectUri, ct);
 
-        private static int GetFreeTcpPort()
-        {
-            var listener = new TcpListener(IPAddress.Loopback, 0);
+            OpenDefaultBrowser(authorizationUri);
 
-            try
-            {
-                listener.Start();
-                return ((IPEndPoint) listener.LocalEndpoint).Port;
-            }
-            finally
-            {
-                listener.Stop();
-            }
+            return await interceptTask;
         }
 
         private void OpenDefaultBrowser(Uri uri)
@@ -205,5 +185,21 @@ string FormatError(string format)
                 }
             }
         }
+
+        private static int GetFreeTcpPort()
+        {
+            var listener = new TcpListener(IPAddress.Loopback, 0);
+
+            try
+            {
+                listener.Start();
+                return ((IPEndPoint) listener.LocalEndpoint).Port;
+            }
+            finally
+            {
+                listener.Stop();
+            }
+        }
+
     }
 }
diff --git a/src/shared/TestInfrastructure/Objects/TestOAuth2Server.cs b/src/shared/TestInfrastructure/Objects/TestOAuth2Server.cs
@@ -68,7 +68,8 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag
             }
 
             // Redirect is optional, but if it is specified it must match a registered URI
-            Uri redirectUri = app.ValidateRedirect(reqQuery[OAuth2Constants.RedirectUriParameter]);
+            reqQuery.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUriStr);
+            Uri redirectUri = app.ValidateRedirect(redirectUriStr);
 
             // Scope is optional
             reqQuery.TryGetValue(OAuth2Constants.ScopeParameter, out string scopeStr);
@@ -99,7 +100,7 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag
 
             // Create the auth code grant
             OAuth2Application.AuthCodeGrant grant = app.CreateAuthorizationCodeGrant(
-                TokenGenerator, scopes, codeChallenge, codeChallengeMethod);
+                TokenGenerator, scopes, redirectUriStr, codeChallenge, codeChallengeMethod);
 
             var respQuery = new Dictionary<string, string>
             {
@@ -189,10 +190,12 @@ private async Task<HttpResponseMessage> OnTokenEndpointAsync(HttpRequestMessage
                 }
 
                 formData.TryGetValue(OAuth2Constants.TokenEndpoint.PkceVerifierParameter, out string codeVerifier);
+                if (formData.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUriStr))
+                {
+                    app.ValidateRedirect(redirectUriStr);
+                }
 
-                app.ValidateRedirect(formData[OAuth2Constants.RedirectUriParameter]);
-
-                tokenResp = app.CreateTokenByAuthorizationGrant(TokenGenerator, authCode, codeVerifier);
+                tokenResp = app.CreateTokenByAuthorizationGrant(TokenGenerator, authCode, codeVerifier, redirectUriStr);
             }
             else if (StringComparer.OrdinalIgnoreCase.Equals(grantType, OAuth2Constants.TokenEndpoint.RefreshTokenGrantType))
             {
@@ -287,16 +290,18 @@ public class OAuth2Application
     {
         public class AuthCodeGrant
         {
-            public AuthCodeGrant(string code, string[] scopes,
+            public AuthCodeGrant(string code, string[] scopes, string redirectUri = null,
                 string codeChallenge = null, OAuth2PkceChallengeMethod codeChallengeMethod = OAuth2PkceChallengeMethod.Plain)
             {
                 Code = code;
                 Scopes = scopes;
+                RedirectUri = redirectUri;
                 CodeChallenge = codeChallenge;
                 CodeChallengeMethod = codeChallengeMethod;
             }
             public string Code { get; }
             public string[] Scopes { get; }
+            public string RedirectUri { get; }
             public string CodeChallenge { get; }
             public OAuth2PkceChallengeMethod CodeChallengeMethod { get; }
         }
@@ -336,11 +341,11 @@ public OAuth2Application(string id)
         public IDictionary<string, string[]> RefreshTokens { get; } = new Dictionary<string, string[]>();
 
         public AuthCodeGrant CreateAuthorizationCodeGrant(TestOAuth2ServerTokenGenerator generator,
-            string[] scopes, string codeChallenge, OAuth2PkceChallengeMethod codeChallengeMethod)
+            string[] scopes, string redirectUri, string codeChallenge, OAuth2PkceChallengeMethod codeChallengeMethod)
         {
             string code = generator.CreateAuthorizationCode();
 
-            var grant = new AuthCodeGrant(code, scopes, codeChallenge, codeChallengeMethod);
+            var grant = new AuthCodeGrant(code, scopes, redirectUri, codeChallenge, codeChallengeMethod);
             AuthGrants.Add(grant);
 
             return grant;
@@ -387,14 +392,15 @@ public bool IsDeviceCodeGrantApproved(string deviceCode)
         }
 
         public TokenEndpointResponseJson CreateTokenByAuthorizationGrant(
-            TestOAuth2ServerTokenGenerator generator, string authCode, string codeVerifier)
+            TestOAuth2ServerTokenGenerator generator, string authCode, string codeVerifier, string redirectUri)
         {
             var grant = AuthGrants.FirstOrDefault(x => x.Code == authCode);
             if (grant is null)
             {
                 throw new Exception($"Invalid authorization code '{authCode}'");
             }
 
+            // Validate the grant's code challenge was constructed from the given code verifier
             if (!string.IsNullOrWhiteSpace(grant.CodeChallenge))
             {
                 if (string.IsNullOrWhiteSpace(codeVerifier))
@@ -431,6 +437,13 @@ public TokenEndpointResponseJson CreateTokenByAuthorizationGrant(
                 }
             }
 
+            // If an explicit redirect URI was used as part of the authorization request then
+            // the redirect URI used for the token call must match exactly.
+            if (!string.IsNullOrWhiteSpace(grant.RedirectUri) && !StringComparer.Ordinal.Equals(grant.RedirectUri, redirectUri))
+            {
+                throw new Exception("Redirect URI must match exactly the one used when requesting the authorization code.");
+            }
+
             string accessToken = generator.CreateAccessToken();
             string refreshToken = generator.CreateRefreshToken();
 
diff --git a/src/shared/TestInfrastructure/Objects/TestOAuth2WebBrowser.cs b/src/shared/TestInfrastructure/Objects/TestOAuth2WebBrowser.cs
@@ -17,6 +17,11 @@ public TestOAuth2WebBrowser(HttpMessageHandler httpHandler)
             _httpClient = new HttpClient(httpHandler);
         }
 
+        public Uri UpdateRedirectUri(Uri uri)
+        {
+            return uri;
+        }
+
         public async Task<Uri> GetAuthenticationCodeAsync(Uri authorizationUri, Uri redirectUri, CancellationToken ct)
         {
             using (var response = await _httpClient.SendAsync(HttpMethod.Get, authorizationUri))

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@ namespace Microsoft.Git.CredentialManager.Authentication.OAuth`
`9`	`9`	`{`
`10`	`10`	`public interface IOAuth2WebBrowser`
`11`	`11`	`{`
	`12`	`+ Uri UpdateRedirectUri(Uri uri);`
	`13`	`+`
`12`	`14`	`Task<Uri> GetAuthenticationCodeAsync(Uri authorizationUri, Uri redirectUri, CancellationToken ct);`
`13`	`15`	`}`
`14`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,18 +1,20 @@`
`1`	`1`	`// Copyright (c) Microsoft Corporation. All rights reserved.`
`2`	`2`	`// Licensed under the MIT license.`
	`3`	`+using System;`
`3`	`4`
`4`	`5`	`namespace Microsoft.Git.CredentialManager.Authentication.OAuth`
`5`	`6`	`{`
`6`	`7`	`public class OAuth2AuthorizationCodeResult`
`7`	`8`	`{`
`8`		`- public OAuth2AuthorizationCodeResult(string code, string codeVerifier = null)`
	`9`	`+ public OAuth2AuthorizationCodeResult(string code, Uri redirectUri = null, string codeVerifier = null)`
`9`	`10`	`{`
`10`	`11`	`Code = code;`
	`12`	`+ RedirectUri = redirectUri;`
`11`	`13`	`CodeVerifier = codeVerifier;`
`12`	`14`	`}`
`13`	`15`
`14`	`16`	`public string Code { get; }`
`15`		`-`
	`17`	`+ public Uri RedirectUri { get; }`
`16`	`18`	`public string CodeVerifier { get; }`
`17`	`19`	`}`
`18`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -104,9 +104,11 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum`
`104`	`104`	`[OAuth2Constants.AuthorizationEndpoint.PkceChallengeParameter] = codeChallenge`
`105`	`105`	`};`
`106`	`106`
	`107`	`+ Uri redirectUri = null;`
`107`	`108`	`if (_redirectUri != null)`
`108`	`109`	`{`
`109`		`- queryParams[OAuth2Constants.RedirectUriParameter] = _redirectUri.ToString();`
	`110`	`+ redirectUri = browser.UpdateRedirectUri(_redirectUri);`
	`111`	`+ queryParams[OAuth2Constants.RedirectUriParameter] = redirectUri.ToString();`
`110`	`112`	`}`
`111`	`113`
`112`	`114`	`string scopesStr = string.Join(" ", scopes);`
`@@ -123,12 +125,12 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum`
`123`	`125`	`Uri authorizationUri = authorizationUriBuilder.Uri;`
`124`	`126`
`125`	`127`	`// Open the browser at the request URI to start the authorization code grant flow.`
`126`		`- Uri redirectUri = await browser.GetAuthenticationCodeAsync(authorizationUri, _redirectUri, ct);`
	`128`	`+ Uri finalUri = await browser.GetAuthenticationCodeAsync(authorizationUri, redirectUri, ct);`
`127`	`129`
`128`	`130`	`// Check for errors serious enough we should terminate the flow, such as if the state value returned does`
`129`	`131`	`// not match the one we passed. This indicates a badly implemented Authorization Server, or worse, some`
`130`	`132`	`// form of failed MITM or replay attack.`
`131`		`- IDictionary<string, string> redirectQueryParams = redirectUri.GetQueryParameters();`
	`133`	`+ IDictionary<string, string> redirectQueryParams = finalUri.GetQueryParameters();`
`132`	`134`	`if (!redirectQueryParams.TryGetValue(OAuth2Constants.AuthorizationGrantResponse.StateParameter, out string replyState))`
`133`	`135`	`{`
`134`	`136`	`throw new OAuth2Exception($"Missing '{OAuth2Constants.AuthorizationGrantResponse.StateParameter}' in response.");`
`@@ -144,7 +146,7 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum`
`144`	`146`	`throw new OAuth2Exception($"Missing '{OAuth2Constants.AuthorizationGrantResponse.AuthorizationCodeParameter}' in response.");`
`145`	`147`	`}`
`146`	`148`
`147`		`- return new OAuth2AuthorizationCodeResult(authCode, codeVerifier);`
	`149`	`+ return new OAuth2AuthorizationCodeResult(authCode, redirectUri, codeVerifier);`
`148`	`150`	`}`
`149`	`151`
`150`	`152`	`public async Task<OAuth2DeviceCodeResult> GetDeviceCodeAsync(IEnumerable<string> scopes, CancellationToken ct)`
`@@ -191,14 +193,14 @@ public async Task<OAuth2TokenResult> GetTokenByAuthorizationCodeAsync(OAuth2Auth`
`191`	`193`	`[OAuth2Constants.ClientIdParameter] = _clientId`
`192`	`194`	`};`
`193`	`195`
`194`		`- if (authorizationCodeResult.CodeVerifier != null)`
	`196`	`+ if (authorizationCodeResult.RedirectUri != null)`
`195`	`197`	`{`
`196`		`- formData[OAuth2Constants.TokenEndpoint.PkceVerifierParameter] = authorizationCodeResult.CodeVerifier;`
	`198`	`+ formData[OAuth2Constants.RedirectUriParameter] = authorizationCodeResult.RedirectUri.ToString();`
`197`	`199`	`}`
`198`	`200`
`199`		`- if (_redirectUri != null)`
	`201`	`+ if (authorizationCodeResult.CodeVerifier != null)`
`200`	`202`	`{`
`201`		`- formData[OAuth2Constants.RedirectUriParameter] = _redirectUri.ToString();`
	`203`	`+ formData[OAuth2Constants.TokenEndpoint.PkceVerifierParameter] = authorizationCodeResult.CodeVerifier;`
`202`	`204`	`}`
`203`	`205`
`204`	`206`	`using (HttpContent requestContent = new FormUrlEncodedContent(formData))`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,8 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`// Redirect is optional, but if it is specified it must match a registered URI`
`71`		`- Uri redirectUri = app.ValidateRedirect(reqQuery[OAuth2Constants.RedirectUriParameter]);`
	`71`	`+ reqQuery.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUriStr);`
	`72`	`+ Uri redirectUri = app.ValidateRedirect(redirectUriStr);`
`72`	`73`
`73`	`74`	`// Scope is optional`
`74`	`75`	`reqQuery.TryGetValue(OAuth2Constants.ScopeParameter, out string scopeStr);`
`@@ -99,7 +100,7 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag`
`99`	`100`
`100`	`101`	`// Create the auth code grant`
`101`	`102`	`OAuth2Application.AuthCodeGrant grant = app.CreateAuthorizationCodeGrant(`
`102`		`- TokenGenerator, scopes, codeChallenge, codeChallengeMethod);`
	`103`	`+ TokenGenerator, scopes, redirectUriStr, codeChallenge, codeChallengeMethod);`
`103`	`104`
`104`	`105`	`var respQuery = new Dictionary<string, string>`
`105`	`106`	`{`
`@@ -189,10 +190,12 @@ private async Task<HttpResponseMessage> OnTokenEndpointAsync(HttpRequestMessage`
`189`	`190`	`}`
`190`	`191`
`191`	`192`	`formData.TryGetValue(OAuth2Constants.TokenEndpoint.PkceVerifierParameter, out string codeVerifier);`
	`193`	`+ if (formData.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUriStr))`
	`194`	`+ {`
	`195`	`+ app.ValidateRedirect(redirectUriStr);`
	`196`	`+ }`
`192`	`197`
`193`		`- app.ValidateRedirect(formData[OAuth2Constants.RedirectUriParameter]);`
`194`		`-`
`195`		`- tokenResp = app.CreateTokenByAuthorizationGrant(TokenGenerator, authCode, codeVerifier);`
	`198`	`+ tokenResp = app.CreateTokenByAuthorizationGrant(TokenGenerator, authCode, codeVerifier, redirectUriStr);`
`196`	`199`	`}`
`197`	`200`	`else if (StringComparer.OrdinalIgnoreCase.Equals(grantType, OAuth2Constants.TokenEndpoint.RefreshTokenGrantType))`
`198`	`201`	`{`
`@@ -287,16 +290,18 @@ public class OAuth2Application`
`287`	`290`	`{`
`288`	`291`	`public class AuthCodeGrant`
`289`	`292`	`{`
`290`		`- public AuthCodeGrant(string code, string[] scopes,`
	`293`	`+ public AuthCodeGrant(string code, string[] scopes, string redirectUri = null,`
`291`	`294`	`string codeChallenge = null, OAuth2PkceChallengeMethod codeChallengeMethod = OAuth2PkceChallengeMethod.Plain)`
`292`	`295`	`{`
`293`	`296`	`Code = code;`
`294`	`297`	`Scopes = scopes;`
	`298`	`+ RedirectUri = redirectUri;`
`295`	`299`	`CodeChallenge = codeChallenge;`
`296`	`300`	`CodeChallengeMethod = codeChallengeMethod;`
`297`	`301`	`}`
`298`	`302`	`public string Code { get; }`
`299`	`303`	`public string[] Scopes { get; }`
	`304`	`+ public string RedirectUri { get; }`
`300`	`305`	`public string CodeChallenge { get; }`
`301`	`306`	`public OAuth2PkceChallengeMethod CodeChallengeMethod { get; }`
`302`	`307`	`}`
`@@ -336,11 +341,11 @@ public OAuth2Application(string id)`
`336`	`341`	`public IDictionary<string, string[]> RefreshTokens { get; } = new Dictionary<string, string[]>();`
`337`	`342`
`338`	`343`	`public AuthCodeGrant CreateAuthorizationCodeGrant(TestOAuth2ServerTokenGenerator generator,`
`339`		`- string[] scopes, string codeChallenge, OAuth2PkceChallengeMethod codeChallengeMethod)`
	`344`	`+ string[] scopes, string redirectUri, string codeChallenge, OAuth2PkceChallengeMethod codeChallengeMethod)`
`340`	`345`	`{`
`341`	`346`	`string code = generator.CreateAuthorizationCode();`
`342`	`347`
`343`		`- var grant = new AuthCodeGrant(code, scopes, codeChallenge, codeChallengeMethod);`
	`348`	`+ var grant = new AuthCodeGrant(code, scopes, redirectUri, codeChallenge, codeChallengeMethod);`
`344`	`349`	`AuthGrants.Add(grant);`
`345`	`350`
`346`	`351`	`return grant;`
`@@ -387,14 +392,15 @@ public bool IsDeviceCodeGrantApproved(string deviceCode)`
`387`	`392`	`}`
`388`	`393`
`389`	`394`	`public TokenEndpointResponseJson CreateTokenByAuthorizationGrant(`
`390`		`- TestOAuth2ServerTokenGenerator generator, string authCode, string codeVerifier)`
	`395`	`+ TestOAuth2ServerTokenGenerator generator, string authCode, string codeVerifier, string redirectUri)`
`391`	`396`	`{`
`392`	`397`	`var grant = AuthGrants.FirstOrDefault(x => x.Code == authCode);`
`393`	`398`	`if (grant is null)`
`394`	`399`	`{`
`395`	`400`	`throw new Exception($"Invalid authorization code '{authCode}'");`
`396`	`401`	`}`
`397`	`402`
	`403`	`+ // Validate the grant's code challenge was constructed from the given code verifier`
`398`	`404`	`if (!string.IsNullOrWhiteSpace(grant.CodeChallenge))`
`399`	`405`	`{`
`400`	`406`	`if (string.IsNullOrWhiteSpace(codeVerifier))`
`@@ -431,6 +437,13 @@ public TokenEndpointResponseJson CreateTokenByAuthorizationGrant(`
`431`	`437`	`}`
`432`	`438`	`}`
`433`	`439`
	`440`	`+ // If an explicit redirect URI was used as part of the authorization request then`
	`441`	`+ // the redirect URI used for the token call must match exactly.`
	`442`	`+ if (!string.IsNullOrWhiteSpace(grant.RedirectUri) && !StringComparer.Ordinal.Equals(grant.RedirectUri, redirectUri))`
	`443`	`+ {`
	`444`	`+ throw new Exception("Redirect URI must match exactly the one used when requesting the authorization code.");`
	`445`	`+ }`
	`446`	`+`
`434`	`447`	`string accessToken = generator.CreateAccessToken();`
`435`	`448`	`string refreshToken = generator.CreateRefreshToken();`
`436`	`449`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,11 @@ public TestOAuth2WebBrowser(HttpMessageHandler httpHandler)`
`17`	`17`	`_httpClient = new HttpClient(httpHandler);`
`18`	`18`	`}`
`19`	`19`
	`20`	`+ public Uri UpdateRedirectUri(Uri uri)`
	`21`	`+ {`
	`22`	`+ return uri;`
	`23`	`+ }`
	`24`	`+`
`20`	`25`	`public async Task<Uri> GetAuthenticationCodeAsync(Uri authorizationUri, Uri redirectUri, CancellationToken ct)`
`21`	`26`	`{`
`22`	`27`	`using (var response = await _httpClient.SendAsync(HttpMethod.Get, authorizationUri))`